[apparmor] 2.5.1 build failure on Arch
atswartz at gmail.com
Tue Oct 19 21:24:50 BST 2010
On 10/19/2010 12:31 PM, John Johansen wrote:
> On 10/19/2010 09:50 AM, andrew thomas wrote:
>> On 10/18/2010 11:49 AM, John Johansen wrote:
>>> On 10/15/2010 09:48 PM, andrew thomas wrote:
>>>> I am trying to build 2.5.1 on Arch Linux and am getting an error similar to this build:
>>>> It gets through autogen, configure, and make in libapparmor.
>>>> Then make in utils, but fails make in parser.
>>>> Here is the tail end from
>>>> $ cd parser&& /usr/bin/make
>>>> The error message does state that: Kernel needs AppArmor 2.4 compatibility patch.
>>>> But, I believe that I applied the proper patches to the kernel.
>>>> Any ideas?
>>> Hey Andrew it actually built but is failing during the caching function tests. These are run against the current kernel, and it isn't finding the AppArmor 2.4 interface.
>>> You can test for your self by looking for the file /sys/kernel/security/apparmor/profiles if it doesn't exist you don't have the AppArmor 2.4 compatibility patch on your kernel.
>>> The patch isn't actually necessary but several things will not work if it is not present. The parser won't do compiled policy caching, the init scripts won't work, and aa-status and a few other commands won't work either.
>>> Basically anything that requires introspection of the load policy or supported kernel features doesn't work correctly. Every thing else should.
>>> If you are building 2.5.1 on a buildd with a kernel that doesn't support the AppArmor 2.4 interface, then I suggest you disable the test in the Makefile with a small patch.
>> I did look in /sys/kernel/security and it is empty.
> This says to me that the LSM is probably not configured correctly.
>> When I compiled the kernel, I applied these two patches ( http://pastebin.ubuntu.com/515768/& http://pastebin.ubuntu.com/515769/ ) that originally were ubuntu-maverick.git-0d8f737f1c8ad8415b3d5589caf63dee3c1b3d6f.patch& ubuntu-maverick.git-8cb3e0f8ad669be1e2027cbafb58fa7cd1928f76.patch which I modified so they also created security/apparmor/include/net.h& security/apparmor/net.c and would apply cleanly. When I use this on natty to compile the kernel, apparmor (2.5.1~rc1) works as expected, but when I compile on ArchLinux, using the natty-git source, /sys/kernel/security is empty. Any clues to what I am doing wrong? Trying to get apparmor to work on arch may be beyond my abilities, I am sorry if I am wasting your time.
> What config options do you have set under security? These will affect whether AppArmor is compiled and whether it is the default LSM. Since there can only be a single lsm active at a time another LSM can block apparmor.
> specifically you need
> in make menuconfig this will look like
> y AppArmor
> You probably want to set
> in menuconfig it is "AppArmor boot parameter default value"
> this tells the apparmor module to register it self by default at boot, if it is 0 you must specify apparmor=1 on the kernel command line for apparmor to take effect even if apparmor is set as the default security module.
> The other config options that can affect apparmor are
> SECURITY=y menuconfig "y Enable different security models"
> SECURITYFS=y menuconfig "y Enable the securityfs filesystem"
> SECURITY_NETWORK=y menuconfig "y Socket and Networking Security Hooks"
> SECURITY_PATH=y menuconfig "y Security hooks for pathname based access control"
> DEFAULT_SECURITY=apparmor menuconfig "Default security module"
> this one is not required and can be overriden on the kernel command line,
> so if apparmor is not the default lsm you would use
> If this doesn't work, can you attach your config and point me at a tree so
> I can build and test the kernel, and figure out what is wrong
Thanks for your reply John,
The weird thing is that I am using the same .config file to build my
kernels on ubuntu, debian & arch and apparmor works just fine on the
first two. Here is the security section.
# Security options
# CONFIG_KEYS_DEBUG_PROC_KEYS is not set
# CONFIG_SECURITY_NETWORK_XFRM is not set
# CONFIG_SECURITY_SELINUX is not set
# CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_YAMA is not set
# CONFIG_IMA is not set
# CONFIG_DEFAULT_SECURITY_DAC is not set
I am getting the source from
patch -p1 -R < ../apparmorB.patch
patch -p1 -R < ../apparmorA.patch
git reset --hard origin/master
patch -p1 < ../apparmorA.patch
patch -p1 < ../apparmorB.patch
removing and reapplying the patches when I update because they rebase
against Linus' tree. The two patches are the patches that I posted on
pastebin in my last post. What could be different about Arch that would
make the kernels not work right?
-------------- next part --------------
An HTML attachment was scrubbed...
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
More information about the AppArmor